RE: win32 exploit development - weirdness??

["Jose Ignacio Sanchez" <sanchez () osha eu int>]

It is possible that the return address to your shellcode changes when the
debugger is not attached.

So you are jumping to another place and the program crashes.

... just an idea... :)

BR

Topo[LB]
  -----Original Message-----
  From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk]On Behalf Of RaMatkal
  Sent: martes, 27 de diciembre de 2005 13:55
  To: full-disclosure () lists grok org uk
  Subject: [Full-disclosure] win32 exploit development - weirdness??


  having one of those days....im about ready to put my foot through my
computer....

  writing stack overflow on win32 arc...

  i overflow eip with a pop/pop/ret, jump to my bind shellcode and im
away.....all works perfectly but....

  when i attach to the process with my debugger and step through the
exploit, it works 100% of the time....however, when i try and exploit the
server without the debugger attached, the service just seems to crash.....

  anyone have any idea what could cause this sort of behaviour?
  anyone have an idea how i can take a look at what is going wrong?
remember, when i attach my debugger it works!!!

  Thanks in advance,
  RaMatkal

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/